Why does the GS segment selector value not change after the SWAPGS instruction? (Windows kernel debugging)

I'm trying to learn how the kernel works. During the process, using WinDbg, I have put a breakpoint at the Page Fault handler, after the "swapgs" and "lfence" instructions:

[image: Page Fault Handler]

After I resume execution and WinDbg breaks, the GS value stays the same (0x2B).

I tried reading the "MSR_KERNEL_GS_BASE" (0xC0000102) with rdmsr, and examining the memory around GS:[9018h], but it is uninitialized:

[image: Memory at GS]

(I also tried converting the physical address to a virtual address (!ptov 0xDB3A0CF018), thinking that might be the case. No success.) Yet after stepping through, the Bit Test instruction sets the Carry Flag.

Now then, what am I missing? Why does GS not update in WinDbg? Why can't the memory around GS from the MSR be read? What's happening behind the scenes in the case of "bt dword ptr gs:[9018h], 1"? Is there a way to read the kernel memory that is being tested?
